On Mon, Nov 9, 2020 at 4:26 AM Lance Yang <[email protected]> wrote:
>
> Hi Bruce,
>
> For the iptables issue, I tested iptables.
>
> As the iptables comment module belongs to the iptables extensions, I checked my
> kernel config and set the parameter: CONFIG_NETFILTER_XT_MATCH_COMMENT=m.
>
> iptables -V
> iptables v1.8.5 (legacy)
>
> I used this iptables command to check:
>
> iptables -A INPUT -p tcp --dport 22 -m comment --comment "SSH" -j ACCEPT
>
> It works fine from my side.

Yah, that's what I assumed it was as well, but yet, when I added it in .. I
didn't see a change.

That being said, this is helpful, so I started a clean build to see if I had
picked up something stale that was masking my fix.

Bruce

>
> Best Regards,
> Lance
>
> > -----Original Message-----
> > From: [email protected]
> > <[email protected]>
> > On Behalf Of Joakim Roubert via lists.yoctoproject.org
> > Sent: Monday, November 9, 2020 3:49 PM
> > To: Bruce Ashfield <[email protected]>
> > Cc: [email protected]
> > Subject: Re: [meta-virtualization][PATCH v5] Adding k3s recipe
> >
> > On 2020-11-06 22:20, Bruce Ashfield wrote:
> > >
> > > I now have another 6 or 7 WIP patches on top of this to try and get a
> > > single node "cluster" working with k3s. I'll clean them up and get
> > > them into the k3s WIP branch shortly.
> >
> > Awesome!
> >
> > > In your working references, which iptables do you have installed ?
> > > (legacy ? nftables?)
> >
> > # iptables --version
> > iptables v1.8.4 (legacy)
> >
> > > I'm failing to get flannel to start, with a series of errors like this:
> > >
> > > -----------
> > > I1106 21:19:00.985656 10641 eviction_manager.go:351] eviction
> > > manager: able to reduce ephemeral-storage pressure without evicting
> > > pods.
> > > E1106 21:19:10.636899 10641 proxier.go:841] Failed to ensure that
> > > filter chain INPUT jumps to KUBE-EXTERNAL-SERVICES: error checking
> > > rule: exit status 2: iptables v1.8.6 (legacy): Couldn't load match
> > > `comment':No such y Try `iptables -h' or 'iptables --help' for more
> > > information.
> > > I1106 21:19:10.641647 10641 proxier.go:825] Sync failed; retrying in
> > > 30s
> > > ------------
> >
> > This is a bit strange, as it seems you are running in legacy mode too,
> > although a somewhat newer version than I have, and the only thing I know
> > is that Rancher recommends 1.6.1 or newer (which it is).
> >
> > https://rancher.com/docs/k3s/latest/en/known-issues/
> >
> > Might there be something missing in the kernel?
> >
> > I have these RPMs installed in my image:
> >
> > iptables
> > iptables-module-ip6t-ah
> > iptables-module-ip6t-dnat
> > iptables-module-ip6t-dnpt
> > iptables-module-ip6t-dst
> > iptables-module-ip6t-eui64
> > iptables-module-ip6t-frag
> > iptables-module-ip6t-hbh
> > iptables-module-ip6t-hl
> > iptables-module-ip6t-icmp6
> > iptables-module-ip6t-ipv6header
> > iptables-module-ip6t-log
> > iptables-module-ip6t-masquerade
> > iptables-module-ip6t-mh
> > iptables-module-ip6t-netmap
> > iptables-module-ip6t-redirect
> > iptables-module-ip6t-reject
> > iptables-module-ip6t-rt
> > iptables-module-ip6t-snat
> > iptables-module-ip6t-snpt
> > iptables-module-ip6t-srh
> > iptables-module-ipt-ah
> > iptables-module-ipt-clusterip
> > iptables-module-ipt-dnat
> > iptables-module-ipt-ecn
> > iptables-module-ipt-icmp
> > iptables-module-ipt-log
> > iptables-module-ipt-masquerade
> > iptables-module-ipt-netmap
> > iptables-module-ipt-realm
> > iptables-module-ipt-redirect
> > iptables-module-ipt-reject
> > iptables-module-ipt-snat
> > iptables-module-ipt-ttl
> > iptables-module-ipt-ulog
> > iptables-modules
> > iptables-module-xt-addrtype
> > iptables-module-xt-audit
> > iptables-module-xt-bpf
> > iptables-module-xt-cgroup
> > iptables-module-xt-checksum
> > iptables-module-xt-classify
> > iptables-module-xt-cluster
> > iptables-module-xt-comment
> > iptables-module-xt-connbytes
> > iptables-module-xt-connlimit
> > iptables-module-xt-connmark
> > iptables-module-xt-connsecmark
> > iptables-module-xt-conntrack
> > iptables-module-xt-cpu
> > iptables-module-xt-ct
> > iptables-module-xt-dccp
> > iptables-module-xt-devgroup
> > iptables-module-xt-dscp
> > iptables-module-xt-ecn
> > iptables-module-xt-esp
> > iptables-module-xt-hashlimit
> > iptables-module-xt-helper
> > iptables-module-xt-hmark
> > iptables-module-xt-idletimer
> > iptables-module-xt-ipcomp
> > iptables-module-xt-iprange
> > iptables-module-xt-ipvs
> > iptables-module-xt-led
> > iptables-module-xt-length
> > iptables-module-xt-limit
> > iptables-module-xt-mac
> > iptables-module-xt-mark
> > iptables-module-xt-multiport
> > iptables-module-xt-nfacct
> > iptables-module-xt-nflog
> > iptables-module-xt-nfqueue
> > iptables-module-xt-osf
> > iptables-module-xt-owner
> > iptables-module-xt-physdev
> > iptables-module-xt-pkttype
> > iptables-module-xt-policy
> > iptables-module-xt-quota
> > iptables-module-xt-rateest
> > iptables-module-xt-recent
> > iptables-module-xt-rpfilter
> > iptables-module-xt-sctp
> > iptables-module-xt-secmark
> > iptables-module-xt-set
> > iptables-module-xt-socket
> > iptables-module-xt-standard
> > iptables-module-xt-statistic
> > iptables-module-xt-string
> > iptables-module-xt-synproxy
> > iptables-module-xt-tcp
> > iptables-module-xt-tcpmss
> > iptables-module-xt-tcpoptstrip
> > iptables-module-xt-tee
> > iptables-module-xt-time
> > iptables-module-xt-tos
> > iptables-module-xt-tproxy
> > iptables-module-xt-trace
> > iptables-module-xt-u32
> > iptables-module-xt-udp
> >
> > and in my kernel config, I have (apart from what is needed for running
> > containers with containerd):
> >
> > CONFIG_NETFILTER_NETLINK=m
> > CONFIG_NETFILTER_XT_MATCH_OWNER=m
> > CONFIG_NET_UDP_TUNNEL=m
> > CONFIG_NF_DUP_NETDEV=m
> > CONFIG_NF_LOG_BRIDGE=m
> > CONFIG_NF_TABLES_ARP=y
> > CONFIG_NF_TABLES_BRIDGE=y
> > CONFIG_NF_TABLES_INET=y
> > CONFIG_NF_TABLES_IPV4=y
> > CONFIG_NF_TABLES_IPV6=y
> > CONFIG_NF_TABLES=m
> > CONFIG_NF_TABLES_NETDEV=y
> > CONFIG_NFT_BRIDGE_REJECT=m
> > CONFIG_NFT_CHAIN_NAT_IPV4=m
> > CONFIG_NFT_CHAIN_ROUTE_IPV4=m
> > CONFIG_NFT_CHAIN_ROUTE_IPV6=m
> > CONFIG_NFT_COMPAT=m
> > CONFIG_NFT_COUNTER=m
> > CONFIG_NFT_CT=m
> > CONFIG_NFT_DUP_IPV4=m
> > CONFIG_NFT_DUP_IPV6=m
> > CONFIG_NFT_DUP_NETDEV=m
> > # CONFIG_NFT_EXTHDR is not set
> > CONFIG_NFT_FIB_INET=m
> > CONFIG_NFT_FIB_IPV4=m
> > CONFIG_NFT_FIB_IPV6=m
> > CONFIG_NFT_FIB_NETDEV=m
> > CONFIG_NFT_FWD_NETDEV=m
> > CONFIG_NFT_HASH=m
> > CONFIG_NFT_LIMIT=m
> > CONFIG_NFT_LOG=m
> > CONFIG_NFT_MASQ_IPV4=m
> > CONFIG_NFT_MASQ=m
> > # CONFIG_NFT_META is not set
> > CONFIG_NFT_NAT=m
> > CONFIG_NFT_NUMGEN=m
> > # CONFIG_NFT_OBJREF is not set
> > CONFIG_NFT_QUEUE=m
> > CONFIG_NFT_QUOTA=m
> > CONFIG_NFT_REDIR_IPV4=m
> > CONFIG_NFT_REDIR=m
> > CONFIG_NFT_REJECT=m
> > # CONFIG_NFT_RT is not set
> > # CONFIG_NFT_SET_BITMAP is not set
> > # CONFIG_NFT_SET_HASH is not set
> > # CONFIG_NFT_SET_RBTREE is not set
> > CONFIG_OVERLAY_FS=m
> > CONFIG_STP=m
> >
> > BR,
> >
> > /Joakim

--
- Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
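As an added example (not code from the thread or from the k3s recipe), here is a small POSIX shell check for the two things the exchange above turns on: whether a kernel .config carries the netfilter match options kube-proxy asks for, CONFIG_NETFILTER_XT_MATCH_COMMENT among them, and pulling the missing extension name out of the "Couldn't load match" line in the flannel log. The .config it runs against is constructed, not Joakim's.

```shell
#!/bin/sh
# Added example, not code from the thread: a .config check for netfilter match
# options plus a classifier for the "Couldn't load match" line kube-proxy logs.

# kconfig_check CONFIG_FILE OPTION...
# Prints one line per option ("OPTION=m", "OPTION=y", "OPTION not set" or
# "OPTION absent"); returns 0 only if every option is built-in or modular.
kconfig_check() {
    cfg=$1; shift
    rc=0
    for opt in "$@"; do
        if line=$(grep -E "^${opt}=[ym]\$" "$cfg"); then
            printf '%s\n' "$line"
        elif grep -qE "^# ${opt} is not set\$" "$cfg"; then
            printf '%s not set\n' "$opt"; rc=1
        else
            printf '%s absent\n' "$opt"; rc=1
        fi
    done
    return $rc
}

# iptables_missing_match LINE
# For one line of iptables or kube-proxy output, prints the name of the match
# extension iptables failed to load and returns 0; returns 1 for other lines.
iptables_missing_match() {
    case $1 in
        *"Couldn't load match"*)
            rest=${1#*"load match \`"}      # drop text up to the opening backtick
            q="'"
            printf '%s\n' "${rest%%"$q"*}"  # keep the name before the closing quote
            ;;
        *) return 1 ;;
    esac
}

# Constructed sample .config (not Joakim's): the comment match is left out,
# which is the condition the error in the thread points at.
SAMPLE_CFG=$(mktemp)
cat >"$SAMPLE_CFG" <<'EOF'
CONFIG_NETFILTER_XT_MATCH_OWNER=m
CONFIG_NF_TABLES=m
# CONFIG_NFT_META is not set
CONFIG_OVERLAY_FS=m
EOF

kconfig_check "$SAMPLE_CFG" CONFIG_NETFILTER_XT_MATCH_COMMENT \
    CONFIG_NETFILTER_XT_MATCH_OWNER CONFIG_NFT_META \
    || echo "kernel config is missing options k3s needs"
```

On a real image, point kconfig_check at the decompressed /proc/config.gz or the build's kernel .config instead of the sample file.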
